On December 27, the Department of Homeland Security's Computer Emergency Readiness Team issued a warning about a vulnerability in wireless routers that use WiFi Protected Setup (WPS) to allow new devices to be connected to them. Within a day of the discovery, researchers at a Maryland-based computer security firm developed a tool that exploits that vulnerability, and has made a version available as open source.

WiFi Protected Setup, a standard created by the WiFi Alliance, is designed specifically for home and small business users of wireless networking to easily configure devices without having to enter a long password. Offered as an optional feature on WiFi routers from a number of manufacturers, it automates the setup of the WiFi Protected Access 2 (WPA2) authentication between the router and a wireless device. One of the standard's methods of establishing connection that is supported by all WPS-capable routers is the use of a personal identification number, usually printed on the wireless router itself, to authenticate the device.

But as security researcher Stefan Veihbock found and reported to US-CERT, the PIN implementation is susceptible to "brute-force" attacks because of the way routers respond to bad requests, and the nature of the PIN itself. When a PIN request fails, the message sent back to the wireless device attempting to connect contains information that can help an attacker by revealing whether the first half of the PIN is correct or not—reducing the number of guesses that an attacking system would have to make. Additionally, the last number of the PIN is a checksum for the the rest of the PIN. As a result, an attacker could get the PIN within 11,000 guesses. Veihbock demonstrated the vulnerability with a proof-of-concept tool he wrote in Python, available for download from his site.

That wouldn't be as much of a problem for security if wireless access points locked out devices after repeated bad PIN entries. But on many WPS wireless routers, there is no lockout feature. That means attackers can continue to attempt to connect at their leisure.

And unlike passwords, the PIN is something that can't usually be changed by the router's owner. That presents a huge security loophole for attackers—once they've gained the PIN, they can reconnect at will to the network, even if the administrator has changed the password or service set identifier (SSID) for the network. And on access devices that have multiple radios in them providing network connectivity for different SSIDs with different passwords, the PIN can provide access to all of the wireless networks on the router.

According to a blog post by Tactical Network Solutions' Craig Heffner, this type of attack is one that researchers at the Columbia, Maryland based security firm have been "testing, perfecting, and using for nearly a year." Now the company has released an open-source version of its tool, Reaver, which Heffner says is capable of cracking the PIN codes of routers and gaining access to their WPA2 passwords "in approximately 4 [to] 10 hours." The company also is offering a commercial version of the tool that offers features like a web interface for remote command and control, the ability to pause and resume attacks, optimized attacks for different models of wireless access points, and additional support.

The routers most vulnerable to these attacks—the ones without PIN lockout features—include products from Cisco's Linksys division, Belkin, Buffalo, Netgear, TP-Link, ZyXEL, and Technicolor. None of the vendors has issued a statement on the vulnerability, or replied to inquiries from Veihbock.